GDPR Compliance in Spreadsheets

Europe’s General Data Protection Regulation (GDPR) is a new law governing data protection and privacy for citizens of the European Union. Its aim is to give individuals control over their data and to simplify existing regulations. GDPR becomes enforceable on May 25th 2018, and companies found not to comply with the regulation can be fined up to €10 million or 2% of worldwide revenue.

Spreadsheets are the least controlled data repositories in most companies and are therefore the most likely to be non-compliant with GDPR. In this article, we give recommendations for managing GDPR compliance in your spreadsheets.

What data is covered under GDPR?

The regulation applies to companies that are located in the EU or that control or process data of people located in the EU. GDPR covers all personal data which is defined by the European Commission as “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”

What are the responsibilities of data controllers and processors?

Data controllers must implement protective measures for personal data. This includes “pseudonymizing” personal data as soon as possible, so that data points cannot be linked to a person’s name or ID. Further, data may not be processed unless there is a lawful basis to do so. Lawful bases include the explicit consent of the data subject, compliance with a legal obligation, and performance of a contract to which the data subject is a party, among others.

How does this impact the governance of spreadsheets?

Virtually all companies either store their data in spreadsheets or download it to spreadsheets for analysis and reporting. Frequently this means the data leaves a controlled environment (such as an ERP) and enters an uncontrolled one (e.g. a spreadsheet that can be freely shared among colleagues and others). GDPR does not prohibit your company from storing personal data; it requires that you have proper controls over it, including knowing what information you have, where it is stored, and who has access. The steps to ensure your spreadsheets are GDPR compliant are:

1. Know which spreadsheets contain personal data

2. Delete spreadsheets that are not essential to day-to-day operations

3. Restrict access to the remaining spreadsheets to only those who need to know

4. Routinely repeat steps 1-3 to ensure that you remain in constant compliance
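The first step, building an inventory of which spreadsheets hold personal data, can be partly automated. The following added example (not from the original article) scans a CSV export column by column for the machine-recognisable categories named in the GDPR definition quoted above: email addresses, IP addresses and bank details (IBAN shape). The file name, column names and cell values are constructed for the example, and names or postal addresses are deliberately not pattern-matched because they need a human or a dictionary-based review.

```python
import csv
import io
import ipaddress
import re
from collections import Counter

# Patterns for personal-data categories from the GDPR definition that have a
# recognisable shape. The IBAN check matches the general format only; it does
# not validate the checksum, so treat hits as candidates for review.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
IBAN_RE = re.compile(r"^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$")

def classify_value(value):
    """Return the personal-data category a single cell looks like, or None."""
    v = value.strip()
    if not v:
        return None
    if EMAIL_RE.match(v):
        return "email"
    try:
        ipaddress.ip_address(v)  # accepts both IPv4 and IPv6 literals
        return "ip_address"
    except ValueError:
        pass
    if IBAN_RE.match(v.replace(" ", "")):
        return "bank_details"
    return None

def inventory_csv(name, text, threshold=0.5):
    """Label each column with a personal-data category when at least
    `threshold` of its non-empty cells match that category."""
    rows = list(csv.DictReader(io.StringIO(text)))
    findings = {}
    for column in (rows[0].keys() if rows else []):
        cells = [r[column] for r in rows if r[column] and r[column].strip()]
        if not cells:
            continue
        counts = Counter(classify_value(c) for c in cells)
        counts.pop(None, None)  # ignore cells that matched nothing
        if counts:
            category, hits = counts.most_common(1)[0]
            if hits / len(cells) >= threshold:
                findings[column] = category
    return {"file": name, "personal_data_columns": findings, "needs_review": bool(findings)}

# Constructed sample export; every value below is made up for this example.
SAMPLE_CSV = """customer,contact,last_login_ip,iban,notes
Alice,alice@example.com,203.0.113.7,DE89370400440532013000,renewal due
Bob,bob@example.org,198.51.100.23,GB29NWBK60161331926819,
Carol,,2001:db8::1,FR7630006000011234567890189,VIP
"""

if __name__ == "__main__":
    report = inventory_csv("customers_export.csv", SAMPLE_CSV)
    for column, category in report["personal_data_columns"].items():
        print(f"{report['file']}: column '{column}' looks like {category}")
```

Running the inventory over every exported spreadsheet on a schedule gives you the list needed for steps 2 and 3 and a record that step 4 was actually performed.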